EzDevInfo.com

ssl-certificate interview questions

Top ssl-certificate frequently asked interview questions

How to view all ssl certificates in a bundle?

I have a certificate bundle .crt file.

Doing openssl x509 -in bundle.crt -text -noout only shows the root certificate.

How do I see all the other certificates?


Source: (StackOverflow)
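A way to see every certificate in the bundle, added here as an example (not part of the question above): split_bundle writes each PEM block to its own file and reports how many it found, and show_bundle then runs openssl x509 over each one. The bundle path and output directory are the function's parameters; only the "show" step needs openssl.

```sh
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate and print
# each one's subject, issuer and validity period.

# split_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-01.pem, cert-02.pem, ...
# and prints the number of certificates found.
split_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  # awk opens a new output file at every BEGIN marker and stops writing at
  # the matching END marker, so text between blocks (s_client chatter,
  # "subject=" comment lines) is dropped.
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# show_bundle BUNDLE -> one summary per certificate, in bundle order.
show_bundle() {
  tmp=$(mktemp -d) || return 1
  count=$(split_bundle "$1" "$tmp")
  echo "$count certificate(s) in $1"
  for c in "$tmp"/cert-*.pem; do
    [ -e "$c" ] || continue
    echo "== $c"
    openssl x509 -in "$c" -noout -subject -issuer -dates
  done
  rm -rf "$tmp"
}

# Equivalent one-liner when you only need the subject/issuer of each entry:
# wrap the bundle in a PKCS#7 structure and let openssl walk it.
#   openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout
```

The order matters when checking a chain: the first block should be the server certificate and each following block should be the issuer of the one before it, which the per-certificate subject/issuer lines make easy to eyeball.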

How does this kind of SSL work?

"Issued to" and "Domain Name" doesn't match but still valid and accepted by all major browsers without any warning.

While previewing my blog post in Blogger, I noticed that my blog was previewed via SSL. When I checked the certificate information, I noticed that "Issued To" and "Domain Name" didn't match. Here's a screenshot.

[screenshot: Blogger SSL certificate]

Domain name was techronak.blogspot.com but SSL certificate was issued to *.googleusercontent.com and the best thing was my browser (Chromium) didn't issue any kind of SSL warning.

How does this kind of SSL certificate work?


Source: (StackOverflow)


Must CSRs be generated on the server that will host the SSL certificate?

Is it necessary to generate the CSR (Certificate Signing Request) on the same machine that will host my web application and SSL certificate?

This page on SSL Shopper says so, but I'm not sure if that's true, because it would mean I'd have to buy a separate SSL certificate for each server in my cluster.

What is a CSR? A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on.


Source: (StackOverflow)

Why do I need to purchase an SSL certificate when I can generate one locally?

I am having trouble understanding why we need to purchase SSL certificates when we can generate them locally using openSSL. What is the difference between the certificate I purchase and a test certificate I generate locally? Is it just a big scam?


Source: (StackOverflow)

SSL Certificate Location on UNIX/Linux

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?

Thanks.


Source: (StackOverflow)

How can I work around problems with certificate configuration in Remote Desktop Services?

I am setting up a Remote Desktop Services farm, and am having trouble configuring certificates for it to use. A demonstration of the problem I'm seeing can be found in Step #4.

At this point I am convinced that there are problems with the user interface, and am looking for ways around them. Is there any way to configure certificates in Remote Desktop Services so that the settings hold and are reflected in the GUI? If not, is there any way for me to verify that the settings are correct?

Step #1 - Create certificate to be used.

I've configured a certificate to use with RD Web Access. The certificate is stored within the Certificates MMC on my RD Connection Broker, and I am configuring the farm from that computer.

I found by letting RD Web Access generate its own certificate that the following properties are required:

  • Enhanced Key Usage
    • Server Authentication
    • Client Authentication
      • This may not be required, but the self-signed certificate includes it.
  • Key Usage
    • Digital Signature
    • Key Agreement
  • Subject Alternative Name
    • DNS Name=domain.com

Detour about self-signed certificate generation

As a quick detour, I was able to work around a problem with creating self-signed certificates using PowerShell. The documentation for the New-RDCertificate cmdlet gives the following example:

PS C:\> $password = ConvertTo-SecureString -string "password" -asplaintext -force
New-RDCertificate -Role RDWebAccess -DnsName "test-rdwa.contoso.com" -Password $password -ConnectionBroker rdcb.contoso.com -ExportPath "c:\test-rdwa.pfx"

Typing this into the shell will result in an error message claiming that a function, Get-Server, cannot be found. Prior to using New-RDCertificate, you must import the RemoteDesktop module with Import-Module RemoteDesktop.

Step #2 - Observe out-of-box behavior

The first time you visit the Deployment Properties dialog box by navigating to Server Manager -> Remote Desktop Services -> Collections and selecting "Edit Deployment Properties" from the "TASKS" dropdown list in the "COLLECTIONS" grouping, you will see the following screen: [screenshot]

This window is misleading because the level field is listed as "Not Configured". If I understand correctly all three of the role services are using a self-signed certificate. For the RD Web Access role this can be verified by visiting the website: [screenshot: certificate error]

The certificate being used also appears in the Certificates MMC: [screenshot: certificates MMC showing the RD Web Access certificate]

Step #3 - Assign new certificate

The Deployment Properties dialog box will allow me to select my existing certificate. The certificate must be placed within the local computer's Certificates MMC in the "Personal" certificate store. The private key will need to be exportable, and you will need to provide the password. I temporarily exported my certificate to a file named temp.pfx with a password, and then imported it into Remote Desktop Services from there.

Once this is done the GUI will indicate that it is ready to accept the new configuration. [screenshot: ready to accept certificate]

Once I click the "Apply" button, the GUI indicates success. [screenshot]

This can be verified by visiting the RD Web Access web site a second time. There is no certificate error. [screenshot]

Step #4 - The GUI fails to maintain its state

If the GUI is closed and reopened, all of these settings appear to be lost. [screenshot: settings are lost]

Actually, the certificate I configured is still being used. I am able to continue accessing the RD Web Access site without any certificate errors.

Oddly, if I use the "Create new certificate..." button to generate a self-signed certificate this window will update to an "Untrusted" level. This setting will then be maintained through the opening and closing of the Deployment Properties dialog box.

Is there anything I can do to have my settings appear to stick? I feel like something is wrong when the GUI claims I haven't fully configured certificates.


Source: (StackOverflow)

Is a Self Signed SSL Certificate a False Sense of Security?

Is a Self Signed SSL certificate a false sense of security?

If you are being eavesdropped on, the user will simply accept the certificate like he/she always does.


Source: (StackOverflow)

How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, marketing claims, and price range. I created a list to help me see past the marketing gimmicks that the greater majority of the Certificate Authorities (CAs) plaster all over their sites. In the end my personal conclusion is that pretty much the only things that matter are the price and the pleasantness of the CA's website.

Question: Besides price and a nice website, is there anything worthy of my consideration in deciding where to purchase a wildcard SSL certificate?


Source: (StackOverflow)

Should a wildcard SSL certificate secure both the root domain as well as the sub-domains?

I ask this question, because Comodo are telling me that a wildcard certificate for *.example.com will also secure the root domain example.com. So with a single certificate, both my.example.com and example.com are secured without warning from a browser.

However, this is not the case with the certificate I've been provided. My sub-domains are secured fine and do not give an error, but the root domain throws up an error in the browser, saying the identity can't be verified.

When I compare this certificate to other similar scenarios, I see that in the scenarios that work without error, the Subject Alternative Name (SAN) lists both *.example.com and example.com, whereas the recent certificate from Comodo only lists *.example.com as the Common Name and NOT example.com as the Subject Alternative Name.

Can anyone confirm/clarify that the root domain should be listed in SAN details if it is also to be secured correctly?

When I read this: http://www.digicert.com/subject-alternative-name.htm, it seems that the SAN must list both in order to work as I need it to. What's your experience?

Thanks very much.


Source: (StackOverflow)
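The matching rule behind the behaviour described in the question, as an added example (not from the post): name_covers implements the hostname check browsers apply (RFC 6125), under which a "*." wildcard stands for exactly one label, so *.example.com covers my.example.com but never example.com or a.b.example.com; the bare domain is only covered when it is listed on its own. cert_names and cert_covers_host apply that rule to a real certificate file and need openssl; the parsing of the -text output is this example's own, and current browsers consult only the SAN entries, not the CN.

```sh
#!/bin/sh
# Added example: does a certificate name cover a host?

# name_covers PATTERN HOST -> 0 if PATTERN (a CN or SAN dNSName) covers HOST.
name_covers() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}   # the part after "*."
      first=${host%%.*}       # leftmost label of HOST
      rest=${host#*.}         # HOST after its first dot
      # HOST needs at least two labels, a non-empty first label, and the
      # remainder must equal the wildcard's suffix exactly (one label only).
      [ "$host" != "$first" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# cert_names CERT.pem -> every DNS name the certificate claims: the subject CN
# plus each SAN dNSName entry (requires openssl).
cert_names() {
  openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_covers_host CERT.pem HOST -> 0 plus the matching name, or 1.
# OpenSSL 1.0.2 and later has the same check built in:
#   openssl x509 -in CERT.pem -noout -checkhost HOST
cert_covers_host() {
  for n in $(cert_names "$1"); do
    if name_covers "$n" "$2"; then echo "$2 is covered by $n"; return 0; fi
  done
  echo "$2 is NOT covered by $1"
  return 1
}
```

Run cert_covers_host against the Comodo certificate with both a sub-domain and the bare domain as HOST; a certificate whose only name is *.example.com will report the bare domain as not covered, which is exactly the browser error from the question.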

SSL Error - unable to read server certificate from file

I've been setting up SSL for my domain today, and have struck another issue. I was hoping someone could shed some light on it.

I keep receiving the following error messages:

[error] Init: Unable to read server certificate from file /etc/apache2/domain.com.ssl/domain.com.crt/domain.com.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

I'm running Apache 2.2.16 and Ubuntu 10.10. My .crt file has the Begin and End tags, and has been copied exactly from the confirmation email I received, very frustrating!

Cheers!

Edit >> When trying to verify the .crt It doesn't seem to work:

>> openssl x509 -noout -text -in domain.com.crt 
unable to load certificate
16851:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

Also >>

>> openssl x509 -text -inform PEM -in domain.com.crt
unable to load certificate
21321:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>> openssl x509 -text -inform DER -in domain.com.crt
unable to load certificate
21325:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
21325:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Edit>> (Cheers for the help by the way)

>> grep '^-----' domain.com.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Just emailed the company providing the certificate, they responded:

I have checked the CSR file that you have provided and I can assure that this was correctly generated. The error that you are currently encountering is caused because you are using a wrong command line for installing the CSR. You will need to modify this domain.com.crt from your command line with the according name of your domain.

  • currently the crt is set up to mysite.com.crt - I've used domain.com.crt as an example

Source: (StackOverflow)
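A diagnostic for this situation, added as an example (it is not from the question or the replies): the markers are present, yet both Apache and openssl x509 refuse the file with "no start line" or an ASN.1 "wrong tag". check_pem FILE reports the common causes of that combination: a file saved as UTF-16, a byte-order mark or other non-ASCII bytes pasted in from an e-mail client, markers that are not exactly alone on their line, and a body that is not base64-encoded DER. It assumes GNU coreutils (base64 -d).

```sh
#!/bin/sh
# Added example: check_pem FILE -> 0 if FILE looks like a PEM certificate,
# otherwise 1 with one FAIL line per problem found.
check_pem() {
  f=$1; rc=0
  # 1. NUL bytes: the file was saved as UTF-16 (fix with iconv -f UTF-16 -t ASCII)
  if [ "$(tr -d '\001-\377' < "$f" | wc -c | tr -d ' ')" -gt 0 ]; then
    echo "FAIL: NUL bytes present, file is probably UTF-16"; rc=1
  fi
  # 2. Bytes above 0x7f: UTF-8 BOM, non-breaking spaces, "smart" dashes
  if [ "$(LC_ALL=C tr -d '\000-\177' < "$f" | wc -c | tr -d ' ')" -gt 0 ]; then
    echo "FAIL: non-ASCII bytes present (BOM or pasted formatting)"; rc=1
  fi
  # 3. Markers must appear exactly, alone on their line. CR is stripped first
  #    because OpenSSL itself tolerates CRLF line endings.
  clean=$(tr -d '\r' < "$f")
  printf '%s\n' "$clean" | grep -qxF -- '-----BEGIN CERTIFICATE-----' \
    || { echo "FAIL: BEGIN marker missing or not alone on its line"; rc=1; }
  printf '%s\n' "$clean" | grep -qxF -- '-----END CERTIFICATE-----' \
    || { echo "FAIL: END marker missing or not alone on its line"; rc=1; }
  # 4. The body must decode as base64 and start with 0x30, the DER SEQUENCE
  #    tag every X.509 certificate begins with ("wrong tag" means it did not).
  body=$(printf '%s\n' "$clean" \
    | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
    | sed '1d;$d' | tr -d '\n')
  der=$(mktemp)
  if printf '%s' "$body" | base64 -d > "$der" 2>/dev/null; then
    first=$(od -An -tx1 -N1 "$der" | tr -d ' \n')
    [ "$first" = 30 ] \
      || { echo "FAIL: decoded body does not start with a DER SEQUENCE (got '$first')"; rc=1; }
  else
    echo "FAIL: body between the markers is not valid base64"; rc=1
  fi
  rm -f "$der"
  [ "$rc" -eq 0 ] && echo "OK: $f has the right shape; confirm with: openssl x509 -in $f -noout -subject"
  return $rc
}
```

A body that passes check 4 can still be the wrong object (a CSR also starts with a SEQUENCE), which is why the final line hands off to openssl x509; that step decodes the full structure and prints the subject, so you can also confirm the certificate is the one issued for your domain.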

Apache: SSLCertificateKeyFile: file does not exist or is empty

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:

SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile    /etc/ssl/certs/portal.selfsigned.crt

(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)

So, when I restart apache I get the following message:

Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.

But the file is there, and is not empty (actually it contains a private key):

sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

I have tried changing the ownership, using two groups, www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when the certificates are read.

But anyway, changing the group owner has not improved the situation. My questions are:

  1. What else could I try to get this working?
  2. How can I verify that my keyfile is a valid keyfile?
  3. How can I verify that the keyfile and the certificate (/etc/ssl/certs/portal.selfsigned.crt) work together?

I think that Apache is giving a misleading error message, and I would like to pinpoint the error.


Source: (StackOverflow)
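The checks behind questions 2 and 3 of the post, as an added example (not from the question): whether the key file parses as a private key, and whether it belongs to the certificate. It assumes an RSA key (887 bytes of PEM is the size of a typical 1024-bit RSA key) and uses only openssl x509 and openssl rsa, which the OpenSSL 0.9.8 build on Ubuntu 10.04 already has. Two matching RSA moduli mean the pair belongs together.

```sh
#!/bin/sh
# Added example: validate an RSA private key and confirm it matches a certificate.

# key_is_valid KEY -> 0 if the file parses as an RSA private key whose
# components are consistent. stdin is closed so an encrypted key fails
# instead of prompting for a passphrase.
key_is_valid() {
  openssl rsa -in "$1" -check -noout </dev/null >/dev/null 2>&1
}

# modulus_md5 cert|key FILE -> digest of the RSA modulus. A key belongs to a
# certificate exactly when the two digests are equal.
modulus_md5() {
  case $1 in
    cert) openssl x509 -in "$2" -noout -modulus ;;
    key)  openssl rsa  -in "$2" -noout -modulus </dev/null ;;
  esac | openssl md5 | awk '{print $NF}'
}

# pair_matches CERT KEY -> 0 if KEY is the private half of CERT's public key.
pair_matches() {
  [ "$(modulus_md5 cert "$1")" = "$(modulus_md5 key "$2")" ]
}

# check_pair CERT KEY: the checks in the order Apache's complaint suggests.
# httpd reads SSLCertificateKeyFile during startup, while still running as
# root, so run this as root too; the root:www-data 0640 layout from the post
# is enough for that.
check_pair() {
  cert=$1; key=$2
  [ -s "$key" ] || { echo "key file is missing or empty: $key"; return 1; }
  [ -r "$key" ] || { echo "key file is not readable by $(id -un): $key"; return 1; }
  key_is_valid "$key" || { echo "file does not parse as an RSA private key: $key"; return 1; }
  pair_matches "$cert" "$key" || { echo "private key does not match certificate $cert"; return 1; }
  echo "OK: $key matches $cert"
}
```

Usage from the post's paths: `check_pair /etc/ssl/certs/portal.selfsigned.crt /etc/ssl/private/server.insecure.key`. If every check passes, the key and certificate are not the problem and the search moves to the configuration that names them.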

Certificate does not have a name

I've successfully managed to install an SSL certificate in IIS, however the 'Name' column is showing as blank even though I entered a friendly name. Is there any way to rectify this? I grabbed a screenshot from Google Images which also exhibits the same issue, so it seems I'm not the only one.

[screenshot]


Source: (StackOverflow)

Does it matter where the CSR and key files for SSL certification are generated?

I have to create a CSR for a wildcard SSL certificate. Some FAQs from SSL providers say that I should generate the CSR file on the machine where I want to install the certificate. My understanding is that it should not matter where I generate the CSR or the key file as long as I move the files to the right location later.

So my question is: Does it matter where the CSR and key files for SSL certification are generated?


Source: (StackOverflow)

Can MS Certificate Services be a Subordinate to CA created with OpenSSL

I want to set up an enterprise certification authority for my domain so I can issue certificates for various purposes. I would like to follow the best practice of having an offline CA as the root, and set up my enterprise CA as a subordinate. But it seems silly to license a full copy of Windows for this task.

What I am hoping to be able to do is to install some live distribution onto a USB flash disk, and then install openssl, and set up my CA on the flash drive. When I am ready to build the root key/cert I will disconnect the computer from the network, and then never use that USB disk on a network attached computer again.

Will I be able to properly sign and create a subordinate CA certificate for a Windows enterprise CA that will be usable? What options do I need to use with OpenSSL to build the CA and sign the subordinate CA certificate properly?

I have attempted to search the web, and this was the only thing I could find on the subject. But it predates 2008, and I am not entirely sure the person was ever successful.


Source: (StackOverflow)

Save Remote SSL Certificate via Linux Command Line

Can you think of any linux command-line method for saving the certificate presented by an HTTPS server? Something along the lines of having curl/wget/openssl make an SSL connection and save the cert rather than the HTTP response content.

The GUI equivalent to what I'm looking for would be to browse to the HTTPS site, double-click on the browser "secure site" icon, and export the cert. Except the goal here is to do it non-interactively.

Thanks, Jim


Source: (StackOverflow)
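One non-interactive way to do this, added as an example (not from the question): openssl s_client makes the TLS connection and prints the server certificate in PEM form, and extract_first_pem keeps just that block. The -servername option sends the hostname as SNI so a server with several virtual hosts returns the right certificate, and </dev/null closes s_client's stdin so it exits instead of waiting for input. The host, port and output file are the function's parameters.

```sh
#!/bin/sh
# Added example: save the certificate a TLS server presents, then print its
# fingerprint so it can be compared with the browser's certificate viewer.

# extract_first_pem: stdin -> the first PEM certificate block only (the leaf).
# s_client prints the whole chain only with -showcerts; to keep every block
# in that case, split the output per BEGIN/END pair instead of stopping here.
extract_first_pem() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{
            p
            /-----END CERTIFICATE-----/q
          }'
}

# save_remote_cert HOST [PORT] [OUTFILE] -> writes the PEM certificate to
# OUTFILE (default HOST.pem) and prints subject, issuer and SHA-256 fingerprint.
save_remote_cert() {
  host=$1; port=${2:-443}; out=${3:-$1.pem}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | extract_first_pem > "$out"
  [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
  openssl x509 -in "$out" -noout -subject -issuer -fingerprint -sha256
}
```

Note that this saves whatever certificate the server sent, trusted or not; the printed fingerprint is what to compare against a known-good value before the saved file is trusted for anything.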